mozilla-central/security/ct/CTPolicyEnforcer.h (file symbol)

Source code

Revision control

Copy as Markdown

Other Tools

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef CTPolicyEnforcer_h
#define CTPolicyEnforcer_h
#include "CTLog.h"
#include "CTVerifyResult.h"
#include "mozpkix/Result.h"
#include "mozpkix/Time.h"
namespace mozilla {
namespace ct {
// A helper enum to describe the result of running CheckCTPolicyCompliance on a
// collection of verified SCTs.
enum class CTPolicyCompliance {
// The connection complied with the certificate policy
// by including SCTs that satisfy the policy.
Compliant,
// The connection did not have enough valid SCTs to comply.
NotEnoughScts,
// The connection had enough valid SCTs, but the diversity requirement
// was not met (the number of CT log operators independent of the CA
// and of each other is too low).
NotDiverseScts,
};
// Checks the collected verified SCTs for compliance with the CT policy.
// The policy is based on Chrome's policy as described here:
// This policy (as well as Chrome's), is very similar to Apple's:
// Essentially, the policy can be satisfied in two ways, depending on the
// source of the collected SCTs.
// For embedded SCTs, at least one must be from a log that was Admissible
// (Qualified, Usable, or ReadOnly) at the time of the check. There must be
// SCTs from N distinct logs that were Admissible or Retired at the time of the
// check, where N depends on the lifetime of the certificate. If the
// certificate lifetime is less than or equal to 180 days, N is 2. Otherwise, N
// is 3. Among these SCTs, at least two must be issued from distinct log
// operators.
// For SCTs delivered via the TLS handshake or an OCSP response, at least two
// must be from a log that was Admissible at the time of the check. Among these
// SCTs, at least two must be issued from distinct log operators.
//
// |verifiedSct| - SCTs present on the connection along with their verification
// status.
// |certLifetime| - certificate lifetime, based on the notBefore/notAfter
// fields.
CTPolicyCompliance CheckCTPolicyCompliance(const VerifiedSCTList& verifiedScts,
pkix::Duration certLifetime);
} // namespace ct
} // namespace mozilla
#endif // CTPolicyEnforcer_h